The broad scope of counterfeit campaigns and the unclear boundaries of abuse make it challenging to mitigate online threats targeting retail brands. There is a fine line between infringement and fair use of publicly available materials, and counterfeit campaigns can live and grow across countless online environments. Additionally, bad actors continuously modify their attack techniques and have an arsenal of evasion tactics to avoid takedown.
The top counterfeit campaigns targeting retail brands consist of fraudulent advertisements on social media, pages on those platforms used to sponsor ads, and counterfeit websites on the open web. In this blog, we discuss best practices to successfully mitigate each of these threat types.
Fraudulent Advertisements and Pages
Fraudulent advertisements on social media lure victims to counterfeit websites on the open web. These ads are created through criminally owned and compromised account pages on social platforms that often contain trademarked materials and links to malicious websites. Removal of an offending ad or page can be problematic, as brand abuse is not always obvious. Most platform authorities will require unmistakable evidence of fraud, and security teams should submit clear incidents of abuse.
Most of the top social media platforms have their own reporting features for flagging malicious activity on an ad or page. To pursue takedown, security teams should provide all information directly or indirectly related to suspicious activity. This includes fraudulent sponsored advertisements and links to any unauthorized content. When reporting abuse, security teams should submit as much evidence as possible to eliminate any doubt that infringement is occurring. Mitigation criteria include:
- Logos
- Copyrighted material
- Trademarks
- Active links to sites hosting malicious content
- Look-alike domains
- Any available context around the offending ad or page
Fraudulent advertisements on social media are easy to create and modify, and may be altered by threat actors to appear generic after abuse has been reported. To reveal past abuse, security teams should submit platform security feeds as proof of former misconduct.
It is particularly helpful to establish relationships with platform providers to expedite the removal of malicious activity.
Counterfeit Websites and Malicious Domains
Counterfeit websites often use malicious domains to appear legitimate. These domains can be hosted by a variety of providers, each with its own unique policies for takedown. Some providers may be non-compliant, in which case security teams should escalate takedown requests to an alternate host or authority.
Security teams should establish strategic relationships with a variety of providers, including:
- Registrars
- Hosting Providers
- Network System Providers (NSPs)
- Internet Service Providers (ISPs)
- Computer Emergency Response Teams (CERTs)
It is not always evident when a website or domain is supporting malicious activity. Registrars will require clear documentation proving abuse of intellectual property or a trademark, including look-alike domains, source code, and logos. To increase the odds of successful takedown, proof of related abuse should also be provided, including URLs or infrastructure hosting malicious content.
To detect malicious content affiliated with the original threat, security teams should then practice pivoting from the primary IP address to related name servers and associated domains.
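The pivot described above, sketched as an added example that is not part of the original post. The records are constructed sample data using reserved .example names and documentation IP ranges; the function names and the max_fanout cutoff (which skips IPs or name servers shared by many unrelated sites, such as bulk hosting or DNS providers) are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample records: (domain, A record, name servers).
RECORDS = [
    ("brand-outlet.example",    "203.0.113.10", ["ns1.dns-a.example"]),
    ("brand-sale.example",      "203.0.113.10", ["ns1.bulk-dns.example"]),
    ("brand-deals.example",     "198.51.100.7", ["ns1.dns-a.example"]),
    ("brand-clearance.example", "198.51.100.7", ["ns1.bulk-dns.example"]),
    ("bakery.example",          "192.0.2.44",   ["ns1.bulk-dns.example"]),
    ("florist.example",         "192.0.2.45",   ["ns1.bulk-dns.example"]),
]

def build_index(records):
    """Map each indicator to the domains using it, and each domain to its indicators."""
    index = defaultdict(set)   # (kind, value) -> domains
    attrs = defaultdict(set)   # domain -> {(kind, value)}
    for domain, ip, name_servers in records:
        for key in [("ip", ip)] + [("ns", ns) for ns in name_servers]:
            index[key].add(domain)
            attrs[domain].add(key)
    return index, attrs

def pivot(seed, records, max_hops=2, max_fanout=3):
    """Breadth-first pivot from a reported domain via shared IPs and name servers.

    Returns {domain: (hop, kind, shared_value, via_domain)} so every related
    domain carries the link that justifies including it in a takedown report.
    """
    index, attrs = build_index(records)
    found, seen = {}, {seed}
    queue = deque([(seed, 0)])
    while queue:
        domain, hop = queue.popleft()
        if hop == max_hops:
            continue
        for kind, value in sorted(attrs[domain]):
            peers = index[(kind, value)]
            if len(peers) > max_fanout:   # shared infrastructure, weak evidence
                continue
            for peer in sorted(peers - seen):
                seen.add(peer)
                found[peer] = (hop + 1, kind, value, domain)
                queue.append((peer, hop + 1))
    return found

if __name__ == "__main__":
    for dom, (hop, kind, value, via) in pivot("brand-outlet.example", RECORDS).items():
        print(f"{dom}: hop {hop}, shares {kind} {value} with {via}")
```

Raising max_fanout pulls in the unrelated sites on the bulk DNS provider, which is the kind of weak link that undermines an abuse report.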
Mitigation of counterfeit activity targeting retail brands can be complex. Threat types and definitions of infringement vary, and it is not always clear when a threat is associated with counterfeit activity. To expedite the removal of unauthorized activity, organizations should proactively prioritize relationships with platforms and providers, as well as provide high-fidelity evidence that will prove abuse. Successfully mitigating online counterfeit threats can be time-consuming but should be considered critical to protecting your brand and reputation.